Posted to issues@ambari.apache.org by "Akhil S Naik (JIRA)" <ji...@apache.org> on 2019/08/06 10:35:00 UTC
[jira] [Assigned] (AMBARI-25347) [Security Vulnerability] SSL
enabled Ambari's information exposed to port 8441
[ https://issues.apache.org/jira/browse/AMBARI-25347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Akhil S Naik reassigned AMBARI-25347:
-------------------------------------
Assignee: Akhil S Naik
> [Security Vulnerability] SSL enabled Ambari's information exposed to port 8441
> ------------------------------------------------------------------------------
>
> Key: AMBARI-25347
> URL: https://issues.apache.org/jira/browse/AMBARI-25347
> Project: Ambari
> Issue Type: Bug
> Components: ambari-agent, ambari-server
> Affects Versions: 2.7.3
> Environment: ambari-2.7.3/ HDP-3.1
> Reporter: Gyan
> Assignee: Akhil S Naik
> Priority: Major
> Labels: security
>
> Description--
> State of Ambari-- Ambari is SSL enabled.
> Issue--
> The URLs below are exposed and can be accessed via port 8441 without being logged into Ambari.
> 1- 'https://<ambari_server>:8441/users'
> Example--
> {code:java}
> {
>   "href" : "https://172.25.40.23:8441/users",
>   "items" : [
>     {
>       "href" : "https://172.25.40.23:8441/users/admin",
>       "Users" : {
>         "user_name" : "admin"
>       }
>     }
>   ]
> }
> {code}
>
>
> 2- 'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_SERVER'
> Example--
> {code:java}
> {
>   "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_SERVER",
>   "RootServiceComponents" : {
>     "component_name" : "AMBARI_SERVER",
>     "component_version" : "2.7.3.0",
>     "server_clock" : 1564744453,
>     "service_name" : "AMBARI",
>     "properties" : {
>       "agent.package.install.task.timeout" : "1800",
>       "agent.stack.retry.on_repo_unavailability" : "false",
>       "agent.stack.retry.tries" : "5",
>       "agent.task.timeout" : "900",
>       "agent.threadpool.size.max" : "25",
>       "ambari-server.user" : "root",
>       "ambari.python.wrap" : "ambari-python-wrap",
>       "api.ssl" : "true",.............................
> {code}
> 3- Using 'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_AGENT'
>
> Example--
> {code:java}
> "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_AGENT",
> "RootServiceComponents" : {
>   "component_name" : "AMBARI_AGENT",
>   "component_version" : "NOT_APPLICABLE",
>   "service_name" : "AMBARI",
>   "properties" : { }
> },
> "hostComponents" : [
>   {
>     "href" : "https://172.25.40.23:8441/services/AMBARI/hosts/c2236-node2.squadron-labs.com/hostComponents/AMBARI_AGENT",
>     "RootServiceHostComponents" : {
>       "component_name" : "AMBARI_AGENT",
>       "host_name" : "c2236-node2.squadron-labs.com",
>       "service_name" : "AMBARI"
>     }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
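
One way to check a server you administer for the behaviour described in this report, as an added example that is not part of the original message or of Ambari's code: it requests the three reported paths without credentials and flags any reply that carries the `Users` or `RootServiceComponents` data shown above. The host name, the function names and the canned response are constructed for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request

# Paths come from the report; the JSON key that marks a leak is read off its sample output.
REPORTED_PATHS = {
    "/users": "Users",
    "/services/AMBARI/components/AMBARI_SERVER": "RootServiceComponents",
    "/services/AMBARI/components/AMBARI_AGENT": "RootServiceComponents",
}

def contains_key(node, key):
    if isinstance(node, dict):
        return key in node or any(contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(contains_key(v, key) for v in node)
    return False

def classify(status, body, marker):
    """Judge one response to a request that carried no credentials."""
    if status in (401, 403):
        return "protected"
    try:
        doc = json.loads(body) if status == 200 else None
    except ValueError:  # 200 but not JSON, e.g. an HTML login page
        doc = None
    return "exposed" if contains_key(doc, marker) else "inconclusive"

def fetch_anonymous(url, cafile=None, timeout=10):
    """GET with no credentials or client certificate; returns (status, body)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # refused, timed out, or TLS handshake rejected
        return 0, ""

def audit(base_url, fetch=fetch_anonymous):
    """Map each reported path to 'exposed', 'protected' or 'inconclusive'."""
    return {p: classify(*fetch(base_url.rstrip("/") + p), m)
            for p, m in REPORTED_PATHS.items()}

if __name__ == "__main__":
    # Constructed responses standing in for a server, so this runs offline.
    canned = {"/users": (200, '{"items": [{"Users": {"user_name": "admin"}}]}')}
    fake = lambda url: canned.get(url.split(":8441", 1)[1], (401, ""))
    print(audit("https://ambari.example.test:8441", fetch=fake))
```

A result of `inconclusive` covers connection failures and non-JSON replies, so those paths need a manual look before the server is considered clean.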